Across Cloud Computing Governance and Risks, May 2010
7/29/2019 Across Cloud Computing Governance and Risks May 2010
1/20
Cloud Computing: An insight in the Governance & Security aspects
Marc Vael, ISACA Belgium / Across, May 2010
AGENDA
Introduction
Security
Governance
Risks
Compliance
Recommendations
References
Peter Hinssen, The New Normal, 2010
Peter Hinssen, The New Normal, 2010
Analyzing Cloud Computing Security
Cloud computing = outsourcing on steroids
Security elements related to outsourcing!
Figure: Considerations in Cloud Computing Service Models (source: ISACA, Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives, 2010)
Figure: Considerations in Cloud Computing Deployment Models (source: ISACA, Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives, 2010)
8 General Cloud Computing Security Advantages
1. Benefits of scale
2. Provider market differentiator
3. Standardized interfaces for Managed Security Services
4. Rapid & smart scaling of security resources
5. Security audit & evidence gathering
6. Timely & effective & efficient updates & defaults
7. Security risk management
8. Resource concentration benefits
14 Specific Cloud Computing Security Challenges
1. Migrating PII & sensitive data to the cloud
   EU Data Protection Directive & U.S. Safe Harbor program
   Exposure of data to foreign government & data subpoenas
   Data retention & records management issues
   Privacy Impact Assessments (PIA)
2. Identity & Access Management
3. Multi-tenancy
4. Logging & Monitoring
5. Data ownership / custodianship
6. Quality of Service guarantees
7. Securing hypervisors (BluePill)
8. Attracting hackers (high value target)
9. Security of virtual OS in the cloud
10. BCP / DRP
11. Data encryption & key management
   Encrypting access to cloud resource control interface
   Encrypting administrative access to OS instances
   Encrypting access to applications
   Encrypting application data at rest
12. Public cloud vs. internal cloud security
13. Lack of public SaaS version control
14. Using SLAs to obtain cloud security
   Suggested requirements for cloud SLAs
   Issues with cloud forensics & e-discovery
5 Key Governance issues around Cloud Computing
Transparency: providers must demonstrate the existence of effective & robust security controls, assuring customers that their information is properly secured against unauthorized access, change & destruction.
   How much transparency is enough?
   What needs to be transparent?
   Will transparency aid malefactors?
   Which employees (of the provider) have access to customer information?
   Is Segregation of Duties (SoD) between provider employees maintained?
   How is different customers' information segregated?
   What controls are in place to prevent, detect and react to security breaches?
Compliance: concerns with cloud computing that data may not be stored in 1 place & may not be easily retrievable.
   Ensure that, if data are demanded by authorities, data can be provided without compromising other information.
   Audits completed by legal, standard and regulatory authorities themselves demonstrate that there can be plenty of overreach in such seizures.
   When using cloud services, there is no guarantee that an enterprise can get its information when needed, and some providers are even reserving the right to withhold information from authorities.
Trans-border information flow: when information can be stored anywhere in the cloud, the physical location of the information can become an issue.
   Physical location dictates jurisdiction and legal obligation.
   Country laws governing personally identifiable information (PII) vary greatly.
   What is allowed in one country can be a violation in another.
Privacy: imperative for providers to prove to customers that privacy controls are in place & demonstrate the ability to prevent, detect and react to security breaches in a timely manner.
   Information & reporting lines of communication need to be in place & agreed on before service provisioning commences.
   Communication channels should be tested periodically during operations.
Certification: providers will need to provide assurance to their customers that they are doing the right things.
   Independent assurance from third-party audits and/or service auditor reports should be a vital part of any cloud computing program.
Vulnerabilities on Cloud Computing
Authentication, Authorization, Accounting
User (de)provisioning
Remote access to mgt interface
Hypervisor
Lack of resource isolation
Lack of reputational isolation
Communication encryption
Lack of encryption of archives / data in transit
Impossibility to process data in encrypted form
Poor key mgt procedures
Random number generation issue for encryption key generation
Lack of standard technologies
No source escrow agreement
Inaccurate modeling of resource usage
No control on vulnerability assessment process
Possible internal network probing
Vulnerabilities on Cloud Computing (continued)
Possible check on co-residence
Lack of forensic readiness
Sensitive media sanitization
Contractual obligations
Cross cloud applications creating hidden dependency
Conflicting SLA clauses
Excessive SLA clauses
No audit / certification available
Certification scheme not adapted to cloud infrastructure
Inadequate resource provisioning / investment in infrastructure
No policies for resource capping/limits
Data storage in multiple jurisdictions
Lack of info on jurisdictions
Lack of completeness & transparency in terms of use
...
Generic vulnerabilities related to Cloud Computing
Lack of security awareness
Lack of vetting process
Unclear roles & responsibilities
Poor enforcement of role definitions
No need-to-know principle applied
Inadequate physical security procedures
Misconfiguration
System / OS vulnerabilities
Untrusted software
No/Poor BCP/DRP
No/Incomplete asset inventory
No/Unclear asset ownership
Poor identification of project requirements
Poor provider selection
Lack of supplier redundancy
Poor patch mgt
...
7 top threats on Cloud Computing
1. Abuse & inappropriate use of cloud computing
2. Insecure interfaces & APIs
3. Malicious insiders
4. Shared technology issues
5. Data loss / leakage
6. Account / Service hijacking
7. Unknown risk profile
CSA, Top Threats to Cloud Computing v1, March 2010
Cloud Computing Risk Areas
Policy & Organizational risks
1. Provider Lock in*
2. Loss of Governance*
3. Compliance challenges*
4. Loss of business reputation due to co-tenant activities
5. Cloud service termination/failure
6. Cloud provider acquisition
7. Supply Chain failure
8. SLA challenges
Cloud Computing Risk Areas
Technical risks
1. Isolation failure*
2. Malicious insider at cloud provider*
3. Management interface compromise*
4. Insecure/ineffective data deletion*
5. Malicious scans
6. Resource exhaustion
7. Intercepting data in transit
8. Data leakage
9. DDoS
10. Loss of encryption keys
11. Compromise of service engine
12. Conflicts between customer procedures and cloud procedures
Cloud Computing Risk Areas
Legal risks
1. Data protection risks*
2. Risks from changes in jurisdiction
3. Licensing risks
4. Subpoena & e-discovery
Cloud Computing Risk Areas
General risks related to Cloud Computing
1. Network breaks
2. Network mgt
3. Modifying network traffic
4. Privilege escalation
5. Social engineering attacks
6. Loss or compromise of operational logs
7. Loss or compromise of security logs
8. Customization
9. Integration with other applications
10. Backups stolen/lost
11. Unauthorized access to premises
12. Theft of IT equipment
13. Natural disasters
Cloud Computing Top Risk Areas
Long-term viability of provider
Failure to perform agreed-upon service levels, impacting confidentiality, integrity and availability
Confusion about where information actually resides
Privileged user access to sensitive information
Data isolation/segregation
Compliance with regulations & laws
Information recovery in the event of disaster
ISACA, Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives, 2010
Cloud Computing Compliance Tools
ISO 27000 - Information Security Mgt
ISO 38500 - Corporate Governance of Enterprise IT
ISO 20000 - IT Service Mgt
ISO 15489 - Records Mgt
ISACA CobiT - IT Governance & Audit
ISACA Val IT - IT Investment Governance
ISACA Risk IT - IT Risk Mgt
BS 25999 - Business Continuity
10 recommendations for proper Cloud Computing
1. Executive management vision and decision support
2. Clear roles & responsibilities (RACI)
3. Link with the business plan (business case)
4. Validated & well-articulated business risks (and response)
5. Proper identity & access management controls
6. Methods for buy/build analysis with a cost/benefit end-to-end model approved by all relevant stakeholders
7. Continuous communication
8. Inspect what you expect
9. Find a good lawyer who understands IT
10. Never outsource what you do not / cannot manage anyway!
References: Relevant Cloud Computing Books
Executive's Guide to Cloud Computing, Eric Marks & Bob Lozano, 304 pages, May 2010
Enterprise Cloud Computing: A Strategy Guide for Business and Technology Leaders, Andy Mulholland, Jon Pyke & Peter Fingar, 260 pages, April 2010
Cloud Computing: Technologies & Strategies of the Ubiquitous Data Center, Curtis Franklin & Brian Chee, 288 pages, February 2010
Above the Clouds: Managing Risk in the World of Cloud Computing, Kevin McDonald, February 2010
Cloud Computing for Dummies, Judith Hurwitz, Robin Bloor & Marcia Kaufman, 310 pages, November 2009
Cloud Computing: A Practical Approach, Toby Velte, Anthony Velte & Robert Elsenpeter, 334 pages, October 2009
References: Relevant Cloud Computing websites
www.cloudsecurityalliance.org/
www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
csrc.nist.gov/groups/SNS/cloud-computing/
opencloudconsortium.org/
www.opencloudmanifesto.org/
www.cloud-standards.org/wiki/
en.wikipedia.org/wiki/Cloud_computing
searchcloudcomputing.techtarget.com/
cloudcomputing.sys-con.com/
cloudsecurity.org/
www.cloudaudit.org/
www.isaca.org/cloudcomputingresources
Contact information
Mr. Marc Vael
Partner
Across Technology
Innovatie- en Incubatiecentrum
Technologiepark 3
9052 Gent
Tel: 09 243 60 00
Fax: 09 243 60 06
Mail: [email protected]